Europäisches Patentamt
European Patent Office
Office européen des brevets



(43) Date of publication: 

17.05.2000 Bulletin 2000/20 



(21) Application number: 99308672.7 

(22) Date of filing: 02.11.1999 




(11) EP 1 001 570 A2

EUROPEAN PATENT APPLICATION 

(51) Int Cl.7: H04L 9/32



(84) Designated Contracting States: 

AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU
MC NL PT SE 

Designated Extension States: 
AL LT LV MK RO SI 

(30) Priority: 09.11.1998 US 188818 

(71) Applicant: LUCENT TECHNOLOGIES INC. 
Murray Hill, New Jersey 07974-0636 (US) 



(72) Inventors: 

• Berenzweig, Adam L. 

New York, New York 10003 (US) 

• Brathwaite, Carlos Enrique 
Orange, New Jersey 07050 (US)

(74) Representative: 

Watts, Christopher Malcolm Kelway, Dr. et al 

Lucent Technologies (UK) Ltd, 

5 Mornington Road 

Woodford Green Essex, IG8 0TU (GB)



(54) Efficient authentication with key update 

(57) A more efficient method for performing authentication is provided by using an authentication challenge transmitted to a terminal to provide the terminal with the information to calculate authentication and cipher key values. As a result, a separate communication is not required to provide the terminal with key values. A visiting authentication center obtains a random value R_T, an authentication key value K_A and a cipher key value K_C from a home authentication center. The visiting authentication center then transmits the random number R_T to the terminal to update the terminal's authentication key and cipher key values, and to challenge the terminal as part of an authentication process. The terminal uses R_T to calculate the authentication key value K_A and the cipher key value K_C, and to respond to the visiting authentication center's challenge. In addition, the authentication key value is used to verify the visiting network's response to the terminal's authentication challenge to the network.
Description

Background of the Invention 
Field of the Invention 

[0001] The present invention relates to communications, more specifically, the authentication of communicating parties in wireless communication systems.

Description of the Related Art 

[0002] FIG. 1 illustrates a base station 10, its associated cell 12 and mobile 14 within cell 12. When mobile 14 first registers or attempts communications with base station 10, base station 10 authenticates or verifies the mobile's identity before allowing the mobile access to the communication network. When mobile 14 is in a network other than its home network, it is referred to as being in a visiting network. The home network is the network controlled by the service provider that has contracted with the mobile terminal's owner to provide wireless communication services. If the mobile is operating in a visiting communication network, the authentication of the mobile by base station 10 will involve communicating with authentication center 16 of the mobile's home network. In the example of FIG. 1, mobile 14 is in a visiting network. As a result, the authentication of mobile 14 involves communicating with authentication center 16 of the mobile's home network. When mobile 14 attempts to access the visitor network, base station 10 communicates with authentication center 18 of the visiting communication network. Authentication center 18 determines from a mobile or terminal identifier, such as the telephone number of mobile 14, that mobile 14 is registered with a network that uses home authentication center 16. Visiting authentication center 18 then communicates with home authentication center 16 over a network such as IS41 signaling network 20. Home authentication center 16 then accesses a home location register 22 which has a registration entry for mobile 14. Home location register 22 may be associated with the terminal or mobile by an identifier such as the mobile's telephone number. The information contained in the home location register is used to generate encryption keys and other information that is then supplied to visitor location register 24 of visitor authentication center 18. The information from visitor location register 24 is then used to supply base station 10 with information that is transmitted to mobile 14 so that mobile 14 can respond and thereby be authenticated as a mobile that is entitled to receive communication services.
[0003] FIG. 2 illustrates the authentication procedure that is used in GSM wireless networks. In this case, both the mobile and home location register contain a key K_i. When the mobile requests access to the visiting network, the visiting authentication center contacts the home authentication center to receive the variables RAND, SRES, and K_C. The home authentication center uses the value K_i from the home location register associated with the mobile to generate the values SRES and K_C. The value SRES is calculated by using a cryptographic function known as A3 with a random number RAND as an input and the value K_i as a key input. In a similar fashion, the cipher key K_C is calculated by using a cryptographic function A8 with RAND as an input and the value K_i as a key input. These values are then transferred to the visitor location register of the visiting authentication center. The visiting authentication center then challenges the mobile by transmitting the random number RAND to the mobile. The mobile then calculates the values SRES and K_C in the same fashion as calculated by the home authentication center. The mobile then transmits the value SRES to the visiting authentication center where the visiting authentication center compares the received SRES from the mobile with the SRES received from the home authentication center. If the values match, the mobile is allowed access to the visiting network. If further communications between the mobile and visiting network are to be encrypted, they are encrypted using the A5 cryptographic function with the message to be encrypted as an input and with the key input equal to the value K_C. The cryptographic functions A3, A5 and A8 are well known in the art and are recommended by the GSM standard. In the GSM system, this authentication process, including the communication with the home authentication center, is carried out each time the mobile enters into a new call with the visiting network.
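The GSM flow of FIG. 2, simulated as an added example that is not part of the patent: the home authentication center, which alone holds K_i, produces the triplet (RAND, SRES, K_C); the visiting center stores the triplet in its visitor register, sends only RAND over the air and compares the returned SRES; the mobile derives K_C for itself. HMAC-SHA1 stands in for A3 and A8, which the page does not define, and the class and function names are chosen for this example.

```python
import hashlib
import hmac
import os


# Constructed stand-ins for the GSM A3 and A8 functions. Assumption: the real
# A3/A8 are operator-chosen and not given on the page; HMAC-SHA1 with a domain
# label models "keyed one-way function of RAND under K_i", which is all the
# protocol flow depends on.
def a3(k_i: bytes, rand: bytes) -> bytes:
    """SRES = A3(RAND) keyed with K_i (GSM SRES is 32 bits)."""
    return hmac.new(k_i, b"A3" + rand, hashlib.sha1).digest()[:4]


def a8(k_i: bytes, rand: bytes) -> bytes:
    """K_C = A8(RAND) keyed with K_i (GSM K_C is 64 bits)."""
    return hmac.new(k_i, b"A8" + rand, hashlib.sha1).digest()[:8]


class HomeAuthCenter:
    """Holds the home location register: identifier -> K_i."""

    def __init__(self, hlr: dict):
        self.hlr = hlr

    def triplet(self, identifier: str) -> tuple:
        """Answer the visiting center's IS41 request with (RAND, SRES, K_C)."""
        k_i = self.hlr[identifier]
        rand = os.urandom(16)
        return rand, a3(k_i, rand), a8(k_i, rand)


class Mobile:
    def __init__(self, identifier: str, k_i: bytes):
        self.identifier = identifier
        self.k_i = k_i
        self.k_c = None

    def respond(self, rand: bytes) -> bytes:
        """Derive K_C locally from RAND and return SRES over the air."""
        self.k_c = a8(self.k_i, rand)
        return a3(self.k_i, rand)


class VisitingAuthCenter:
    """Never learns K_i: it only stores the triplet in its visitor register."""

    def __init__(self, home: HomeAuthCenter):
        self.home = home
        self.vlr = {}

    def authenticate(self, mobile: Mobile) -> bool:
        rand, sres, k_c = self.home.triplet(mobile.identifier)  # signalling leg
        self.vlr[mobile.identifier] = (rand, sres, k_c)
        received = mobile.respond(rand)  # air interface: RAND out, SRES back
        return hmac.compare_digest(received, sres)


def gsm_demo(mobile_k_i: bytes, hlr_k_i: bytes) -> tuple:
    """Return (mobile accepted?, mobile's K_C equals the VLR's K_C?)."""
    ident = "+15551234567"  # constructed sample identifier
    visiting = VisitingAuthCenter(HomeAuthCenter({ident: hlr_k_i}))
    mobile = Mobile(ident, mobile_k_i)
    accepted = visiting.authenticate(mobile)
    keys_agree = mobile.k_c == visiting.vlr[ident][2]
    return accepted, keys_agree


if __name__ == "__main__":
    k = bytes(range(16))
    print(gsm_demo(k, k))          # (True, True): genuine mobile, keys agree
    print(gsm_demo(k, bytes(16)))  # (False, False): K_i mismatch, no access
```

The second call shows the failure mode the text implies but does not spell out: a mobile whose K_i does not match the home register produces a wrong SRES and is refused, and its locally derived K_C also differs from the one the visitor register holds, so no usable cipher key results. Note that the visiting center authenticates the mobile on the strength of a triplet it received over the signalling network; it never verifies K_i itself.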

[0004] FIGS. 3a and 3b illustrate the authentication process used for an IS41 compliant network. Examples of IS41 compliant networks are networks that use AMPS, TDMA or CDMA protocols. In this system, both the mobile and home location register contain a secret value called AKEY. When the mobile requests access to a visiting network, the visiting network authentication center requests data from the home authentication center. Before the actual authentication process can start, a key update is performed by providing both the mobile and visitor location register with keys that will be used with encryption algorithms for authentication and communication. The home location register associated with the mobile is located using an identifier such as the mobile's telephone number and the AKEY value stored in the home location register is used to produce the data that will be transmitted to the visitor location register. The values calculated are the SSDA (Shared Secret Data A) and SSDB (Shared Secret Data B) values. These values are calculated by performing the CAVE algorithm using a random number R_S as an input and the value AKEY as the key input. The CAVE algorithm is well known in the art and is specified in the IS41 standard. The home authentication center then transfers the values R_S, SSDA and SSDB to the visitor location register of the visiting network. The visiting network then updates the shared secret data (SSDA and SSDB) that will be used by the mobile by transmitting R_S to the mobile. The mobile then calculates the SSDA and SSDB in the same fashion as calculated by the home authentication center. Now that the mobile and visitor location register both contain the SSDA and SSDB values, the authentication process may take place.

[0005] FIG. 3b illustrates how a mobile is authenticated within a visiting network after both the mobile and visiting location register have received the keys SSDA and SSDB. The visiting authentication center challenges the mobile by sending a random number R_N to the mobile. At this point both the mobile and visiting authentication center calculate the value AUTHR where AUTHR is equal to the output of the CAVE algorithm using the random number R_N as an input and the SSDA value as the key input. The mobile then transmits the calculated value AUTHR to the visiting authentication center. The visiting authentication center compares its calculated value of AUTHR and the value received from the mobile. If the values match, the mobile is authenticated and it is given access to the visiting network. In addition, both the mobile and the visiting authentication center calculate the value of cipher key K_C where the value K_C is equal to the output of the CAVE algorithm using the value R_N as an input and the value SSDB as the key input. At this point, communications between the mobile and visiting network are permitted and may be encrypted using a cryptographic function where the inputs are the message to be encrypted and the key K_C. The cryptographic functions are specified for CDMA and TDMA systems by their respective standards. It should be noted that with regard to IS41, communications between the visiting authentication center and the home authentication center are only carried out each time the mobile registers with the visiting network as opposed to each time a call is made to the mobile.

[0006] The methods discussed above illustrate a way for verifying that the mobile is authorized to have access to the network, but they do not deal with the mobile verifying that it is being asked to identify itself by a legitimate network. FIG. 4 illustrates a proposal for an improvement to the IS41 standard that allows for mutual authentication between a visiting network and a mobile. FIG. 4 illustrates the process of mutual authentication once both the mobile and visiting location register have received the values SSDA and SSDB as was discussed above with regard to FIG. 3a. The visiting network challenges the mobile by transmitting the random number R_N. The mobile then responds by performing a calculation to obtain the output of a cryptographic function F_1 using the values R_N and R_M as inputs and the value SSDA as a key input. In this case, R_N is the same value that was transmitted by the visiting network and the value R_M is a random number calculated by the mobile. In addition to transmitting the output of this cryptographic function, the value R_M is also transmitted in unencrypted form to the visiting network. The visiting network calculates the output of the F_1 cryptographic function using the values R_N and the unencrypted form of R_M as inputs to the F_1 cryptographic function with the value SSDA as a key input. This output value is compared to the value received from the mobile, and if they match, the mobile is verified or authenticated. The visiting network is then authenticated or verified by the mobile by responding to the challenge supplied by the mobile in the form of value R_M. The visiting authentication center then transmits the output of the cryptographic function F_2 using the value R_M as an input and the value SSDA as a key input. The mobile then performs the same calculation and compares the value it received from the visiting network with the value it obtained from the output of cryptographic function F_2 using key value SSDA and value R_M. If the values match, the mobile considers the network authenticated or verified and continues to communicate with the network. Both the visiting authentication center and the mobile calculate the value for cipher key K_C by obtaining the output of cryptographic function F_3 using the values R_N and R_M as inputs and the value SSDB as a key input. At this point, the mobile and visiting network can communicate; however, if encrypted communications are desired, the messages are encrypted using the encryption algorithm F_4 with the message to be encrypted as an input and the value K_C as a key input. Cryptographic functions F_1, F_2, and F_3 may be hash functions or a one-way cryptographic function such as SHA-1, and function F_4 may be a cryptographic function such as DES. Hash functions, one-way cryptographic functions such as SHA-1 and cryptographic functions such as DES are well known in the art.

[0007] The proposed mutual authentication process suffers from inefficiency in that it requires that both the mobile and the visiting location register have the values SSDA and SSDB before the authentication process may start. As a result, at least two sets of communications are required between the mobile and the visiting authentication center. The first set of communications provides the mobile with information used to calculate values SSDA and SSDB. The second set of communications is used to perform the mutual authentication.

Summary of the Invention 

[0008] The present invention provides a more efficient method for performing authentication by using an authentication challenge transmitted to a terminal to provide the terminal with the information to calculate authentication and cipher key values. As a result, a separate communication is not required to provide the terminal with key values, and the inefficiency of the two sets of communications is eliminated. A visiting authentication center obtains a random value R_T, an authentication key value K_A and a cipher key value K_C from a home authentication center. The visiting authentication center then transmits the random number R_T to the terminal to update the terminal's authentication key and cipher key values, and to challenge the terminal as part of an authentication process. The terminal uses R_T to calculate the authentication key value K_A and the cipher key value K_C, and to respond to the visiting authentication center's challenge. In addition, the authentication key value is used to verify the visiting network's response to the terminal's authentication challenge to the network.

Brief Description of the Drawings 

[0009]

FIG. 1 illustrates the communication between a mobile, visiting network, and home network;
FIG. 2 illustrates the authentication process for a GSM network;
FIGS. 3a and 3b illustrate the key update and authentication process for an IS41 compliant network;
FIG. 4 illustrates a proposed mutual authentication method; and
FIG. 5 illustrates a method for performing key updates and mutual authentication.

Detailed Description 

[0010] FIG. 5 illustrates a method where a single random value transmitted to a mobile or stationary terminal is used to both update the authentication and cipher key values of the terminal and to provide an authentication challenge to the terminal. Mobile or stationary terminal 70 and home location register 72 share key value K_i. When mobile terminal 70 requests access to a visiting network, the visiting authentication center contacts the home authentication center to obtain the random value R_T, authentication key value K_A and cipher key value K_C. In response to this request, the home authentication center accesses the home location register 72 associated with mobile terminal 70 using an identifier such as a telephone number provided by the mobile terminal via the visiting authentication center. The home authentication center then calculates authentication key value K_A by taking the output of cryptographic function F_A using random number R_T as an input and the value K_i as a key input. Additionally, the home authentication center calculates the cipher key value K_C using the output of cryptographic function F_C using the value R_T as an input and the value K_i as a key input. Once these values are calculated, the home authentication center communicates the values R_T, K_A, and K_C to the visiting authentication center. The visiting authentication center then stores the values K_A, K_C and R_T in the visiting location register associated with mobile terminal 70. The visiting authentication center then communicates the value R_T to mobile terminal 70 as both an authentication challenge and as a value that will be used to update the authentication and cipher key values used by the mobile terminal. The mobile terminal uses the value R_T received from the visiting authentication center to calculate the authentication key value K_A and the cipher key value K_C in the same fashion as the values were calculated by the home authentication center. The mobile terminal then uses the authentication key value K_A to respond to the visiting authentication center's authentication challenge. The mobile terminal determines the output of cryptographic function F_1 using the values R_T and R_M as inputs and the authentication key value K_A as a key input; however, it is also possible to use the value R_T rather than both R_T and R_M as inputs. The output of the cryptographic function F_1 and the value R_M are communicated to the visiting authentication center; however, the value R_M may not be transmitted if R_M was not used as an input for cryptographic function F_1 and if authentication of the network is not required. The value R_M is a random value chosen by the mobile terminal. The visiting authentication center also calculates the value of the output of function F_1 with inputs R_T and R_M, and key input value K_A so that the result can be compared with the value communicated by the mobile terminal. If the values match, the mobile terminal is then authenticated or verified to the visiting network. The value R_M provided by the mobile terminal is used as an authentication challenge to the visiting network by mobile 70. The visiting network calculates the output of function F_2 using the value R_M as an input and the value K_A as a key input. This output value is then communicated to the mobile terminal where the terminal independently determines the output of function F_2 with the value R_M as an input and the value K_A as a key input. If the output values match, the mobile terminal then verifies or authenticates the visiting network. Once both the mobile terminal and visiting network have authenticated or verified each other's identities, communication may continue. The communication may pass using unencrypted messages or encrypted messages. If encrypted messages are used, the messages are encrypted by using the output of cryptographic function F_2 with the message as an input and the cipher value K_C as a key input. This process may be carried out each time a call is attempted between the mobile terminal and visiting network. It is also possible to contact the home authentication center each time the mobile registers with a visiting network rather than each time a call is attempted, and to use the same values of K_A, K_C and R_T as long as the mobile remains registered with the visiting network. Cryptographic functions F_1, F_2, F_A and F_C may be hash functions or a one-way cryptographic function such as SHA-1, and function F_3 may be a cryptographic function such as DES. Hash functions, one-way cryptographic functions such as SHA-1 and cryptographic functions such as DES are well known in the art.
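The two-phase prior-art flow of FIGS. 3a and 4 (paragraphs [0004] to [0007]) and the single-value flow of FIG. 5 (paragraph [0010]), simulated side by side as an added example that is not part of the patent. Each run records the messages that cross the air interface, so the saving the text claims can be counted rather than asserted. HMAC-SHA1 stands in for CAVE, F_1 to F_3, F_A and F_C, none of which the page defines, and the names prf, prior_art_fig4, fig5 and message_counts are chosen for this example.

```python
import hashlib
import hmac
import os


# Constructed stand-in for every keyed one-way function on the page (CAVE,
# F_1..F_3, F_A, F_C). Assumption: the page names SHA-1-style one-way functions
# but fixes no construction, so HMAC-SHA1 with a domain label is used throughout.
def prf(key: bytes, label: bytes, *inputs: bytes) -> bytes:
    return hmac.new(key, label + b"".join(inputs), hashlib.sha1).digest()


def prior_art_fig4(hlr_akey: bytes, mobile_akey: bytes, air: list) -> bool:
    """FIG. 3a SSD update followed by FIG. 4 mutual authentication.
    `air` collects every message that crosses the air interface."""
    # Home center derives SSDA/SSDB from AKEY and R_S; (R_S, SSDA, SSDB) go to the
    # visitor location register over signalling, which is not counted here.
    r_s = os.urandom(8)
    ssd_a, ssd_b = prf(hlr_akey, b"SSDA", r_s), prf(hlr_akey, b"SSDB", r_s)
    # First set of communications: key update.
    air.append(("net->mobile", "R_S"))
    m_ssd_a = prf(mobile_akey, b"SSDA", r_s)
    m_ssd_b = prf(mobile_akey, b"SSDB", r_s)
    # Second set of communications: mutual authentication.
    r_n = os.urandom(8)
    air.append(("net->mobile", "R_N"))
    r_m = os.urandom(8)  # the mobile's own challenge to the network
    air.append(("mobile->net", "F1(R_N,R_M) || R_M"))
    if not hmac.compare_digest(prf(m_ssd_a, b"F1", r_n, r_m),
                               prf(ssd_a, b"F1", r_n, r_m)):
        return False  # mobile rejected by the network
    air.append(("net->mobile", "F2(R_M)"))
    if not hmac.compare_digest(prf(ssd_a, b"F2", r_m), prf(m_ssd_a, b"F2", r_m)):
        return False  # network rejected by the mobile
    return prf(ssd_b, b"F3", r_n, r_m) == prf(m_ssd_b, b"F3", r_n, r_m)


def fig5(hlr_k_i: bytes, mobile_k_i: bytes, air: list, use_r_m: bool = True) -> bool:
    """FIG. 5: one random value R_T is both the key-update value and the
    challenge. use_r_m=False is the page's variant in which F_1 takes only R_T,
    R_M is not sent, and the network is not authenticated."""
    r_t = os.urandom(8)
    k_a, k_c = prf(hlr_k_i, b"FA", r_t), prf(hlr_k_i, b"FC", r_t)
    # Home -> visiting: (R_T, K_A, K_C) are stored in the visitor location register.
    air.append(("net->mobile", "R_T"))  # key update and challenge in one message
    m_k_a, m_k_c = prf(mobile_k_i, b"FA", r_t), prf(mobile_k_i, b"FC", r_t)
    r_m = os.urandom(8) if use_r_m else b""
    air.append(("mobile->net", "F1(R_T,R_M) || R_M" if use_r_m else "F1(R_T)"))
    if not hmac.compare_digest(prf(m_k_a, b"F1", r_t, r_m), prf(k_a, b"F1", r_t, r_m)):
        return False  # mobile rejected by the network
    if use_r_m:
        air.append(("net->mobile", "F2(R_M)"))
        if not hmac.compare_digest(prf(k_a, b"F2", r_m), prf(m_k_a, b"F2", r_m)):
            return False  # network rejected by the mobile
    return k_c == m_k_c  # both sides now hold the same cipher key


def message_counts(k: bytes) -> dict:
    """Air-interface messages each scheme needs when both sides hold key k."""
    counts = {}
    for name, run in (("fig4", prior_art_fig4), ("fig5", fig5)):
        air = []
        if not run(k, k, air):
            raise RuntimeError(name + " failed with matching keys")
        counts[name] = len(air)
    air = []
    if not fig5(k, k, air, use_r_m=False):
        raise RuntimeError("fig5 (R_T only) failed with matching keys")
    counts["fig5_no_rm"] = len(air)
    return counts


if __name__ == "__main__":
    print(message_counts(bytes(range(16))))  # {'fig4': 4, 'fig5': 3, 'fig5_no_rm': 2}
```

With matching keys the prior-art flow needs four air-interface messages (R_S, R_N, the mobile's F_1 response with R_M, and the network's F_2 response), the FIG. 5 flow needs three, and the variant that omits R_M needs two. A mismatched key fails at the first F_1 comparison in both schemes, before any cipher key is agreed. The variant without R_M is cheaper but, as the text says, gives the terminal no check on the network; it should only be chosen where that one-sided assurance is acceptable.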

[0011] It is also possible to carry out the same procedure when the mobile terminal is in the home network. In this case, the home authentication center, rather than the visiting authentication center, communicates with the mobile terminal. In a wireless network, the communications between the terminal and authentication center pass through a wireless base station.
Claims

1. An authentication method, comprising the steps of:

transmitting a first value to a terminal;
receiving a response from the terminal having at least a first response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value as an input and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key input; and
verifying the first response value is equal to an expected first response value.

2. The method of claim 1, wherein the response has a second response value and further comprising the step of transmitting a second value to the terminal, where the second value is at least a portion of an output of a third cryptographic function using at least a portion of the second response value as an input and a third key value as a key input.

3. An authentication method, comprising the steps of:

transmitting a first value to a terminal;
receiving a response from the terminal having at least a first response value and a second response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value and at least a first portion of the second response value as inputs and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key input; and
verifying that the first response value is equal to an expected first response value.

4. The method of claim 1 or claim 3, wherein the second key value is associated with the terminal.

5. The method of claim 3, further comprising the step of transmitting a second value to the terminal, where the second value is at least a portion of an output of a third cryptographic function using at least a second portion of the second response value as an input and a third key value as a key input.

6. An authentication method, comprising the steps of:

receiving a first value; and
transmitting a response having at least a first response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value as an input and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key input.

7. The method of claim 6, wherein the response has a second response value and further comprising the step of receiving a second value, where the second value is at least a portion of an output of a third cryptographic function using at least a portion of the second response value as an input and a third key value as a key input.

8. The method of claim 7, further comprising the step of verifying the second value is equal to an expected second value.

9. An authentication method, comprising the steps of:

receiving a first value; and
transmitting a response having at least a first response value and a second response value, where the first response value is at least part of an output of a first cryptographic function using at least a first portion of the first value and at least a first portion of the second response value as inputs and a first key value as a key input, the first key value being at least a portion of an output of a second cryptographic function using at least a second portion of the first value as an input and a second key value as a key

10. The method of any of claims 1, 3, 6 or 9 wherein the first and second cryptographic functions are the same.

11. The method of any of claims 1, 3, 6 or 9 wherein the first and second portions of the first value are the same.

12. The method of claim 9, further comprising the step of receiving a second value, where the second value is at least a portion of an output of a third cryptographic function using at least a portion of the second response value as an input and a third key value as a key input.

13. The method of claim 12, further comprising the step of verifying the second value is equal to an expected second value.
FIG. 2 (PRIOR ART)
FIG. 4 (PRIOR ART)